MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 e79a0f2d4c3f02c119171b9e80ac8437e449202042abd347dfe712af51c8f758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 15
| SHA256 hash: | e79a0f2d4c3f02c119171b9e80ac8437e449202042abd347dfe712af51c8f758 |
|---|---|
| SHA3-384 hash: | dc2d5bba0cf1148bc8ec8b744676258ffdb5a975344832017b2f261f9e3cc82c0110b301d7963a77fcf3c1244cad2364 |
| SHA1 hash: | e06aed80de04a975755250699959a8e6d252f88e |
| MD5 hash: | bb853f64342116837a2668980b1408d8 |
| humanhash: | violet-berlin-spaghetti-princess |
| File name: | 1460531MES_S Quote.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 1'214'976 bytes |
| First seen: | 2024-09-10 01:40:47 UTC |
| Last seen: | 2024-09-10 02:22:11 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook) |
| ssdeep | 24576:g4lavt0LkLL9IMixoEgeaSexhv9PafRmjz4DS3Z2Fxq9MmCS:Xkwkn9IMHeaSov0fRmv4DS3Z2baPCS |
| TLSH | T19845CF0373DDC3A5C3725273BA65BB01AEBB7C2506A1F59B1FD8093DE920162921E673 |
| TrID | 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 11.6% (.EXE) Win64 Executable (generic) (10523/12/4) 7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.9% (.EXE) Win32 Executable (generic) (4504/4/1) |
| Magika | pebin |
| File icon (PE): |  |
| dhash icon | aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla) |
| Reporter |  threatcat_ch |
| Tags: | AgentTesla exe |
Intelligence
File Origin
# of uploads :
2
# of downloads :
539
Origin country :
CHVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1460531MES_S Quote.exe
Verdict:
No threats detected
Analysis date:
2024-09-10 01:41:44 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Tags:
Infostealer
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Connection attempt
Sending a custom TCP request
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Malware
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Result
Threat name:
AgentTesla, PureLog Stealer
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Threat name:
Win32.Trojan.AutoitInject
Status:
Malicious
First seen:
2024-09-10 01:41:05 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
14 of 38 (36.84%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla collection credential_access discovery keylogger spyware stealer trojan
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
fc912f70bbd9182ec655f4cba25563d2d09c71b8f968be7632c434c484b31ecb
MD5 hash:
4de61283931b2c0f215f142cd1110a28
SHA1 hash:
71274c6bfc4f0e96723ad7eccd438b200688b938
Detections:
AgentTeslaXorStringsNet
SUSP_OBF_NET_Reactor_Indicators_Jan24
MSIL_SUSP_OBFUSC_XorStringsNet
SH256 hash:
89a1360e900b21c1da450094c19fd6221799ea3817bafd37274676cee73bf70a
MD5 hash:
c1c4cfb9010e5caf40657544b3d25023
SHA1 hash:
30162f7fea04fe158b1643c0cb551bcc9a7b36a8
Detections:
AgentTeslaXorStringsNet
SUSP_OBF_NET_Reactor_Indicators_Jan24
RedLine_Campaign_June2021
MSIL_SUSP_OBFUSC_XorStringsNet
SH256 hash:
1b428ccec90c50fc19fcb200daf6fe8157102242b8fb76e4e9397d63f73bca05
MD5 hash:
136742d8412f208dc65c78b1492cf93d
SHA1 hash:
540813aeade3bfc5a59ccfcfd94c6ade3884006f
Detections:
win_samsam_auto
MAL_Malware_Imphash_Mar23_1
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
SH256 hash:
e79a0f2d4c3f02c119171b9e80ac8437e449202042abd347dfe712af51c8f758
MD5 hash:
bb853f64342116837a2668980b1408d8
SHA1 hash:
e06aed80de04a975755250699959a8e6d252f88e
Detections:
AutoIT_Compiled
Malware family:
RedNet
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal |
| MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW |
| WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW |
| WIN_BASE_USER_API | Retrieves Account Information | KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_NETWORK_API | Supports Windows Networking | MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.